Abstract. In this paper, we present a variant of Waters' Identity-Based Encryption
scheme with a much smaller public-key size (only a few kilobytes). We show that this
variant is semantically secure against passive adversaries in the standard model.

In essence, the new scheme divides Waters' public key size by a factor $\ell$ at the cost
of (negligibly) reducing security by $\ell$ bits. Therefore, our construction settles an open
question asked by Waters and constitutes the first fully secure practical Identity-Based
Encryption scheme¹.

1 Introduction 

The concept of Identity-Based Encryption (ibe) was invented by Shamir in 1984.
It allows a party to encrypt a message using the recipient's identity as a
public key. The corresponding private key is provided by a central authority.
The advantage of ibe over conventional public-key encryption is that it avoids 
certificate management, which greatly simplifies the implementation of secure 
communications between users. With an ibe scheme, users can simply use their 
email addresses as their identities. Moreover, the recipient does not need to be 
online to present a public-key certificate before the sender encrypts a message, 
and the sender does not have to be online to check the validity of the certificate. 

There are currently two ibe security notions. The stronger notion, called
semantic security against passive adversaries (IND-ID-CPA), was introduced by
Boneh and Franklin in [2]. As per this notion, the adversary can request the
private keys for identities of his choosing; eventually he must be able to
distinguish the encryption of two messages for an identity of his choosing².
This notion will be described in detail in Section 2. A weaker notion of security,
introduced by Canetti, Halevi and Katz in [5, 6], is called selective-ID semantic
security against passive adversaries (IND-sID-CPA). As per this notion, the
adversary must commit ahead of time to the identity that it will attack, that is,
before he receives the public parameters. In this paper, an ibe scheme satisfying
the stronger notion will be called fully secure. The present paper's goal is to
construct a practical and fully secure ibe scheme.

¹ Work done while the author was employed by Gemplus (Gemplus patent pending).

² Of course, different from the identities whose private keys he requested.



There are several security models for public-key cryptosystems. The random 
oracle model has been introduced by Bellare and Rogaway as a "paradigm 
for designing efficient protocols". It assumes that all parties, including the
adversary, have access to a public, truly random hash function H. In practice, 
this ideal hash function H is instantiated as a concrete cryptographic hash 
function (for example, SHA-1). This model proved to be extremely useful
for designing simple, efficient and highly practical solutions for many problems. 
However, from a theoretical perspective, it is clear that a security proof in the 
random oracle model is only a heuristic indication of the system's security when 
instantiated with a particular hash function such as SHA-1. 

A contrario, in the standard model, one does not assume idealized oracle 
accesses. In the standard model, security is proven using only standard com- 
plexity assumptions. Consequently, from a security perspective, a proof in the 
standard model is preferable to a proof in the random oracle model. Therefore, 
an important research direction in modern cryptography is the construction of 
cryptosystems provably secure in the standard model, with an efficiency com- 
parable to what can be achieved in the random oracle model. In this article an 
ibe scheme will be (sub silentio) called fully secure if it is fully secure in the 
standard model. Our goal is to construct a practical and fully secure ibe. 

The first efficient identity-based encryption scheme was proposed by Boneh
and Franklin at CRYPTO 2001. The Boneh-Franklin scheme is fully secure in
the random oracle model. This scheme and all subsequent ibe schemes (except
one exotic species) are based on bilinear maps; the only known construction
of bilinear maps is based on the Weil or the Tate pairing over certain families of
elliptic curves. Since then, Boneh and Boyen proposed at EUROCRYPT 2004 an
ibe scheme secure without random oracles, but reaching only selective-ID
security. Boneh and Boyen also proposed at CRYPTO 2004 an ibe scheme fully
secure in the standard model (i.e. without random oracles), but their scheme
is too inefficient to be practical. Finally, the first practical and fully secure ibe
scheme was proposed at EUROCRYPT 2005 by Waters [10]. Encryption and
decryption are very efficient since only a few exponentiations and bilinear map
computations are required.

However, a drawback of Waters' scheme is that the size of the public
parameters is very large: namely, the public parameters contain n + 4 group elements,
where n is the size of the bit-string representing identities. Since n can be the
output of a hash-function, we must take at least n = 160. Moreover, when an
Elliptic Curve over is used (the simpler setting), the size of a group element
must be at least 1024 bits, to attain a security level equivalent to a 1024-bit
RSA. Therefore, each participant must store at least 164 kilobytes of public
parameters, which is prohibitive for most present-day "normal" smart cards. In the
conclusion of his EUROCRYPT 2005 paper [10], Waters states that finding an
efficient identity-based encryption scheme secure without random oracles with
short public parameters is an open problem.
This paper solves this open problem and introduces a variant of Waters'
scheme with a much smaller public-key size (only a few kilobytes). Eo ipso, we
define the first practical identity-based encryption scheme, semantically secure
against passive adversaries in the standard model.



2 Definitions 

In this section we first recall the definition of an ibe scheme. We then recall the 
definition of semantic security against passive adversaries for ibe, introduced in 

An ibe scheme consists of four algorithms:

— Setup : the Setup algorithm generates the system's public parameters,
denoted by params, and a private master key denoted master-key.

— Keygen : the Keygen algorithm takes as input an identity $v$ and outputs the
private key $d_v$ for identity $v$, using master-key.

— Encrypt : the encryption algorithm encrypts messages for an identity $v$ using
params.

— Decrypt : the decryption algorithm decrypts ciphertexts for identity $v$ using
the private key $d_v$.

The semantic security of an ibe scheme is defined through the following 
scenario between an attacker A and a challenger C : 

— Setup : C generates the master public parameters and gives them to A. 

— Phase 1 : A can request the private-key corresponding to an identity v of 
his choice. A can repeat this multiple times for different identities. 

— Challenge : A submits an identity $v^*$, different from the identities in Phase
1, and two messages $m_0$ and $m_1$. C flips a coin $b$ and returns the encryption
of $m_b$ under identity $v^*$.

— Phase 2 : Phase 1 is repeated with the restriction that A cannot request the 
private key for v*. 

— Guess : A submits a guess b' for b. 

This completes the description of the scenario. The advantage of an
adversary A in breaking the scheme is defined as:

$$\mathrm{Adv}(A) = \left| \Pr[b' = b] - \frac{1}{2} \right|$$

where the probability is taken over the adversary's random coins and the
challenger's random coins.

Definition 1 (ibe semantic security). An ibe scheme is said to be
$(t, q, \varepsilon)$-semantically secure if all $t$-time adversaries making at most $q$ private key
queries have an advantage at most $\varepsilon$ in breaking the scheme.
3 Complexity Assumptions



The new construction is based on bilinear maps. In this section, we recall known
facts and complexity assumptions on bilinear maps; the reader is referred to [2]
for more details.

Let $G$ and $G_1$ be groups of prime order $p$ and let $g$ be a generator of $G$. We
say that $G$ has a bilinear map $e : G \times G \to G_1$ if the following conditions hold:
$e$ is efficiently computable; $e$ is bilinear, that is $e(g^a, g^b) = e(g, g)^{ab}$ for all $a, b$;
and $e$ is non-degenerate, that is $e(g, g) \neq 1$.

The Bilinear Diffie-Hellman problem is defined as follows : 

Definition 2 (Bilinear Diffie-Hellman Problem (bdh)). Given the 4-tuple
$(g, g^a, g^b, g^c)$ where $a, b, c \leftarrow \mathbb{Z}_p$, output $e(g, g)^{abc}$.

The decisional version is defined in the usual manner : 

Definition 3 (Decisional Bilinear Diffie-Hellman Problem (dbdh)). Let
$g, g^a, g^b, g^c$ be defined as previously. Let $\beta$ be a random binary coin. Let
$z = e(g, g)^{abc}$ if $\beta = 1$, and let $z$ be a random element in $G_1$ otherwise. Given
$(g, g^a, g^b, g^c, z)$, output a guess $\beta'$ of $\beta$.

We say that an algorithm has an advantage $\varepsilon$ in solving dbdh if

$$\left| \Pr[\beta' = \beta] - \frac{1}{2} \right| \geq \varepsilon$$



Definition 4 (dbdh Assumption). We say that the $(t, \varepsilon)$-dbdh assumption
holds in $G$ if no $t$-time algorithm has an advantage at least $\varepsilon$ in solving the
dbdh problem in $G$.

4 The New Idea 

The following describes a new practical and fully secure ibe scheme. 

The new scheme is a variant of Waters' ibe, but with shorter public
parameters. Let $G$ be a group of prime order $p$, let $g$ be a generator of $G$, and
let $e$ be an admissible bilinear map into $G_1$. Identities will be represented as
$n$-dimensional vectors $v = (v_1, \ldots, v_n)$ where each $v_i$ is an $\ell$-bit integer. The
integers $n$ and $\ell$ are parameters unrelated to $p$, and $n' = n \cdot \ell$ is the output
length of a collision-resistant hash function $H : \{0,1\}^* \to \{0,1\}^{n'}$.

Setup : A secret $a \in \mathbb{Z}_p$ is chosen at random. One sets $g_1 = g^a$ and $g_2$ is chosen
randomly in $G$. One chooses a random $u' \in G$ and a random $n$-dimensional
vector $U = (u_i)$ whose elements are randomly chosen in $G$. The public parameters
are $g, g_1, g_2, u'$ and $U$. The master secret is $g_2^a$.
Keygen : Let $v = (v_1, \ldots, v_n) \in (\{0,1\}^{\ell})^n$ be an identity. Let $r$ be random in
$\mathbb{Z}_p$. The private key $d_v$ for identity $v$ is constructed as:

Encryption : A message $m$ is encrypted for identity $v$ as follows. A value $t$ is
chosen at random in $\mathbb{Z}_p$. The ciphertext is then:

$$c = \left( e(g_1, g_2)^t \cdot m,\; g^t,\; \Big( u' \prod_{i=1}^{n} u_i^{v_i} \Big)^t \right)$$

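Decryption : Let $c = (c_1, c_2, c_3)$ be an encryption of $m$ under identity $v$. The
ciphertext $c$ can then be decrypted using $d_v = (d_1, d_2)$ as:

$$c_1 \cdot \frac{e(d_2, c_3)}{e(c_2, d_1)} = e(g_1, g_2)^t \cdot m \cdot \frac{e\big(g^r, (u' \prod_{i=1}^{n} u_i^{v_i})^t\big)}{e\big(g^t, g_2^a (u' \prod_{i=1}^{n} u_i^{v_i})^r\big)} = e(g_1, g_2)^t \cdot m \cdot \frac{e\big(g, (u' \prod_{i=1}^{n} u_i^{v_i})^{rt}\big)}{e(g_1, g_2)^t \, e\big(g, (u' \prod_{i=1}^{n} u_i^{v_i})^{rt}\big)} = m$$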



4.1 How Does The New Cryptosystem Relate to Waters' Scheme? 

Our construction is a modification of Waters' scheme [10]. Namely, in
Waters' scheme, to encrypt a message for identity $v = (v_1, \ldots, v_{n'}) \in \{0,1\}^{n'}$, one
computes the product:

$$u' \cdot \prod_{i : v_i = 1} u_i$$

where $U = (u_1, \ldots, u_{n'})$ is an $n'$-dimensional public vector.

The new construction encodes identities as $n$-dimensional vectors
$v = (v_1, \ldots, v_n)$ where each $v_i$ is an $\ell$-bit integer and $n \cdot \ell = n'$, and computes the
modified product:

$$u' \cdot \prod_{i=1}^{n} u_i^{v_i}$$

where $U = (u_1, \ldots, u_n)$ is now an $n$-dimensional public vector. Therefore, the
size of the public vector $U$ is slashed by a factor $n'/n = \ell$.

4.2 Performance 

The size of the public parameter is $n + 4$ group elements, where $n' = n \cdot \ell$ is
the output size of a collision-resistant hash-function. If the value $e(g_1, g_2)$ is
pre-computed, encryption requires the equivalent of one exponentiation in $G_1$ and
three exponentiations in $G$. Decryption requires two bilinear map computations,
one group operation in $G_1$ and one inversion in $G_1$.

Compared to Waters' scheme, the public parameter size is shrunk by a factor
$\ell$; encryption and decryption are almost as efficient as in Waters' scheme.



5 Security Proof 

The following theorem proves that the new cryptosystem is fully secure in the 
standard model, under the Decisional Bilinear Diffie-Hellman Assumption. 

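Theorem 1. The new ibe construction is $(t, q, \varepsilon)$-semantically secure,
assuming that the $(t', \varepsilon')$-DBDH assumption holds, where:

$$t = t' - O\big(\varepsilon^{-2} \ln(\varepsilon^{-1}) \lambda^{-1} \ln(\lambda^{-1})\big)$$

$$\varepsilon = q \cdot 2^{\ell+4} \cdot n \cdot \varepsilon'$$

where $\lambda = 1/(q \cdot 2^{\ell+2} \cdot n)$.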

Proof. The security proof is very similar to Waters' proof given in [10].

Assume that there exists a $(t, q, \varepsilon)$ adversary A. We construct a simulator
B that solves the dbdh problem with advantage at least $\varepsilon'$. The simulator B
receives the dbdh challenge $(g, A = g^a, B = g^b, C = g^c, z)$ and must output a
guess $\beta'$ as to whether $z = e(g, g)^{abc}$ ($\beta = 1$) or $z$ is a random element in $G_1$
($\beta = 0$). As in [10] we first describe a simulator B that does not quite work,
and then we slightly modify it so that it works.

Setup: The simulator B first sets an integer $m = 2q$ and chooses randomly:

an integer $k$ (where $0 \le k \le 2^{\ell} \cdot n - 1$),

an $n$-dimensional vector $(x_i)$ (where $0 \le x_i \le m - 1$),

an integer $x'$ (where $0 \le x' \le m - 1$),

and an $n$-dimensional vector $y = (y_1, \ldots, y_n)$ (where each $y_i \in \mathbb{Z}_p$).

For an identity $v = (v_1, \ldots, v_n)$, we define the functions:

$$F(v) = x' + \sum_{i=1}^{n} v_i \cdot x_i - m \cdot k$$

$$J(v) = y' + \sum_{i=1}^{n} v_i \cdot y_i$$

The simulator lets $g_1 = A$ and $g_2 = B$. It then defines the public
parameters $u' = g_2^{x' - km} g^{y'}$ and $u_i = g_2^{x_i} g^{y_i}$. Therefore, the distribution of the public
parameters is the same as in the attack scenario.
We have that for any identity $v$:

$$u' \prod_{i=1}^{n} u_i^{v_i} = g_2^{F(v)} \cdot g^{J(v)} \qquad (2)$$



The following equality, valid if $F(v) \neq 0 \bmod p$, will be used to answer the
private-key queries:



F(v) 



U<) =9i-9l {v),F{v) (3) 



i=i 



Phase 1: The simulator B must answer the private key queries of A. Consider a
query for identity $v$. To answer this query, it would be sufficient to have
$F(v) \neq 0 \bmod p$. We observe that since $-p < F(v) < p$, we have that $F(v) = 0 \bmod p$
implies $F(v) = 0$ and therefore $F(v) = 0 \bmod m$. Here we only answer the
private-key query if $F(v) \neq 0 \bmod m$, which implies $F(v) \neq 0 \bmod p$. In this
case, B generates a random $r$ in $\mathbb{Z}_p$ and constructs the private key $d_v$ as follows:



=i 



Letting $r' = r - a/F(v)$ and using (3), one obtains

which shows that $d_v$ is a valid private key for identity $v$, with the same
distribution as in the attack scenario.

Otherwise, if $F(v) = 0 \bmod m$, then the simulator B aborts and outputs a
random bit $\beta'$ as its guess for $\beta$.

Challenge: The adversary submits two messages $m_0$ and $m_1$ and an identity $v^*$.
Again, we distinguish two cases: if $F(v^*) \neq 0 \bmod p$, then the simulator B
aborts and outputs a random bit $\beta'$. Otherwise, the simulator flips a fair binary
coin $\gamma$ and constructs the ciphertext:

If B was given a legitimate bdh tuple, i.e. if $z = e(g, g)^{abc}$, then by virtue of
equation (2) and $F(v^*) = 0 \bmod p$ we have:

$$T = \left( e(g, g)^{abc} \cdot m_\gamma,\; g^c,\; g^{c J(v^*)} \right) = \left( e(g_1, g_2)^c \cdot m_\gamma,\; g^c,\; \Big( u' \prod_{i=1}^{n} u_i^{v_i^*} \Big)^c \right)$$

This shows that the ciphertext $T$ is a valid encryption of $m_\gamma$ with the same
distribution as in the attack scenario. Otherwise, we have that $z$ is a random
element of $G_1$, which implies that the adversary obtains no information about
$\gamma$ whatsoever.

Phase 2: The simulator B repeats the same operation as in Phase 1. 

Guess: The adversary outputs a guess $\gamma'$ for $\gamma$. If $\gamma = \gamma'$, the simulator B outputs
$\beta' = 1$, otherwise it outputs $\beta' = 0$.

This completes the description of simulator B. As in [10], the problem with
simulator B is that it aborts with a probability that is a function of the queried
identities $\mathbf{v}$ and $v^*$. Therefore, even if $\Pr[\gamma' = \gamma] > \frac{1}{2} + \varepsilon$ in the real attack
scenario, we might have $\Pr[\beta' = \beta] \simeq \frac{1}{2}$ in the simulation. As in [10], a solution
consists in artificially aborting the simulator at the end of the guess phase, so
that the overall probability of aborting is made nearly constant.

First, we analyse the probability that the simulator B aborts when answering
a private-key query or in the challenge phase. To start with, we fix all the random
variables that the adversary can see, including its random coins: we fix the bdh
tuple $(g, A = g^a, B = g^b, C = g^c, z)$, the public parameters $u'$ and the $u_i$. We
also fix the random numbers $r'$ used when answering private-key queries, and
the binary coin $\gamma$. Let $\mathfrak{P}$ denote those fixed parameters. The adversary can then
be seen as a deterministic algorithm. In particular, the identities $v^j$, $1 \le j \le q$,
queried by the adversary are fixed, and also the challenge identity $v^*$.

We observe that when those random variables are fixed, the random variables
$x'$ and $x_i$ still have an independent and uniform distribution between zero and
$m - 1$, and $k$ has a uniform distribution between zero and $2^{\ell} \cdot n - 1$. We let
$\mathbf{v} = (v^1, \ldots, v^q)$ be the list of private-key queries and let $X = (x', x_1, \ldots, x_n)$.

We define the function:

$$\tau(X, \mathbf{v}, v^*, k) = \begin{cases} 0, & \text{if } F(v^*) = 0 \text{ and } F(v^j) \neq 0 \bmod m \text{ for all } 1 \le j \le q \\ 1, & \text{otherwise} \end{cases}$$

We have that the simulator B does not abort iff $\tau(X, \mathbf{v}, v^*, k) = 0$. In Appendix
A, we show the following lower bound for the probability that B does not abort:

$$\Pr_{X,k}[\tau(X, \mathbf{v}, v^*, k) = 0] \ge \lambda = \frac{1}{4 \cdot q \cdot 2^{\ell} \cdot n}$$

In the following, we modify the simulator so that it always aborts with
probability nearly $\lambda$. In the guess phase, the new simulator B' will sample an
estimate $\eta'$ of the probability $\Pr_{X,k}[\tau(X, \mathbf{v}, v^*, k) = 0]$. This probability is a
function of $\mathbf{v}$ and $v^*$. Then if $\eta' \ge \lambda$, simulator B' will proceed as in B with
probability $\lambda/\eta'$, and artificially abort with probability $1 - \lambda/\eta'$; in this latter
case, it outputs a random guess for $\beta'$. If $\eta' < \lambda$, the simulator B' does not
artificially abort.

We assume that the simulator makes $O(\varepsilon^{-2} \ln(\varepsilon^{-1}) \lambda^{-1} \ln(\lambda^{-1}))$ samples.
Using Chernoff's bound, one obtains the following bound for the estimate $\eta'$ of $\eta$:

$$\Pr[|\eta' - \eta| \ge \eta \cdot \varepsilon/8] < \lambda \qquad (4)$$
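Let Art denote the event that the simulator artificially aborts in the guess
phase. Let Abort denote the event that the simulator aborts, either artificially
or not. Then for a fixed parameter $\mathfrak{P}$ we have:

$$\Pr[\overline{\text{Abort}}] = \Pr_{X,k}[\tau(X, \mathbf{v}, v^*, k) = 0] \cdot \Pr[\overline{\text{Art}}] = \eta \cdot \Pr[\overline{\text{Art}}]$$

We distinguish two cases: if $\eta \cdot (1 - \varepsilon/8) \ge \lambda$, then for a fixed $\eta'$, if
$|\eta' - \eta| < \eta \cdot \varepsilon/8$, we have that $\eta' \ge \lambda$ which gives $\Pr[\overline{\text{Art}}] = \lambda/\eta'$ and:

$$\lambda \cdot (1 - \varepsilon/8) \le \frac{\lambda}{1 + \varepsilon/8} \le \Pr[\overline{\text{Abort}}] \le \frac{\lambda}{1 - \varepsilon/8} \le \lambda \cdot (1 + \varepsilon/4)$$

Then for a randomly sampled $\eta'$, we obtain using (4):

$$\left| \Pr[\overline{\text{Abort}}] - \lambda \right| \le \lambda \cdot \varepsilon/2 \qquad (5)$$

One can show that the same inequality holds if $\eta \cdot (1 - \varepsilon/8) < \lambda$. Then since
inequality (5) holds for any fixed parameter $\mathfrak{P}$, this remains true for a random
$\mathfrak{P}$, conditioned on $\gamma' = \gamma$ or $\gamma' \neq \gamma$, that is:

$$\left| \Pr[\overline{\text{Abort}} \mid \gamma' = \gamma] - \lambda \right| \le \lambda \cdot \varepsilon/2 \qquad (6)$$

$$\left| \Pr[\overline{\text{Abort}} \mid \gamma' \neq \gamma] - \lambda \right| \le \lambda \cdot \varepsilon/2 \qquad (7)$$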


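We have that if $\beta = 1$, the simulator succeeds if it outputs $\beta' = 1$; this happens
if it aborts and then correctly guesses $\beta'$ (with probability $\frac{1}{2}$), or if it does not
abort and $\gamma = \gamma'$:

$$\begin{aligned}
\Pr[\beta' = 1] &= \Pr[\beta' = 1 \wedge \text{Abort}] + \Pr[\beta' = 1 \wedge \overline{\text{Abort}}] \\
&= \frac{1}{2} \cdot \big(1 - \Pr[\overline{\text{Abort}}]\big) + \Pr[\gamma' = \gamma \wedge \overline{\text{Abort}}] \\
&= \frac{1}{2} + \frac{1}{2} \left( \Pr[\gamma' = \gamma \wedge \overline{\text{Abort}}] - \Pr[\gamma' \neq \gamma \wedge \overline{\text{Abort}}] \right) \\
&= \frac{1}{2} + \frac{1}{2} \left( \Pr[\overline{\text{Abort}} \mid \gamma' = \gamma] \cdot \Pr[\gamma' = \gamma] - \Pr[\overline{\text{Abort}} \mid \gamma' \neq \gamma] \cdot \Pr[\gamma' \neq \gamma] \right)
\end{aligned}$$

Using inequalities (6) and (7), we obtain: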



Pr[/3'= l|/?= 1] 



>^|Pr[7' = 7]-Pr[ 7 V7]|-~-£ 



Since the adversary is a $(t, q, \varepsilon)$-adversary, we have that:

$$\left| \Pr[\gamma' = \gamma] - \frac{1}{2} \right| \ge \varepsilon$$



This gives : 



Pr[/?' = 1|/5=1] -- 



> A 



Pr[y = 7 ]-_ 



A A 
2 ~ 2 
Finally, when $\beta = 0$, the simulator either aborts and outputs a random $\beta'$, or
does not abort and outputs $\beta' = 1$ if $\gamma = \gamma'$. Since for $\beta = 0$ the adversary has
no information about $\gamma$, we obtain in both cases:

$$\Pr[\beta' = 1 \mid \beta = 0] = \frac{1}{2}$$

This gives : 



Pt[/3' = 1] 



1 1 
- > - 

2~4 




16-g-2 £ -n 



which terminates the proof. 



□ 



6 All in All... 



The previous theorem shows that the probability of breaking the new IBE scheme
is less than $q \cdot 2^{\ell+4} \cdot n$ times the probability of solving the dbdh problem
under similar timing constraints; recall that $\ell$ is the factor by which the public
parameter size is divided compared to Waters' scheme. When $\ell = 1$ we recover
the security level of Waters' scheme. This means that when the public parameter
size is divided by a factor $\ell$, the security gets reduced by $\ell$ bits. Thus, one needs
to strike a trade-off between security and public parameter size.

We recommend taking $\ell = 32$. This means that we lose 32 bits of security
compared to Waters' scheme (this is so slight that for all engineering purposes one
can consider that no security is lost). Note however that this does not necessarily
mean that there exists an attack against the new scheme that is $2^{32}$ times faster than
the best attack against Waters' scheme. Currently the best known attack against
both schemes consists in solving the discrete-logarithm problem in $G$. When $G$
is the group of points of a well chosen elliptic curve, this requires exponential
time. Actually, those 32 security bits correspond to the difference between the
security level that can be guaranteed for Waters' scheme and the security level
that can be guaranteed for the new scheme; again, this does not necessarily
mean that the new scheme is "less secure" than Waters' scheme in practice.

With $\ell = 32$ and $n' = n \cdot \ell = 160$, we obtain $n = 5$ (instead of $n = 160$ in
Waters' scheme), and the public parameter size is still $n + 4$ group elements.

Therefore, when an elliptic curve over F 2 is used (the simpler setting) with 
a 512-bit prime p, the public parameter size is nine kilobytes (4.5 kilobytes 
with compressed points) instead of 164 kilobytes (82 kilobytes with compressed 
points). 

To further compensate security, one can also use a larger prime p. For ex- 
ample, with a 1024-bit prime p, the public parameter size becomes eighteen 
kilobytes (nine kilobytes with compressed points). 

In conclusion, we have introduced a variant of Waters' identity-based
encryption scheme with a much smaller public-key size (only a few kilobytes). We
proved that this variant is fully secure in the standard model. The new scheme
makes it possible to compress the public parameter size by a multiplicative factor of $\ell$, at
the cost of reducing the security level by only $\ell$ bits.

Therefore, the new scheme constitutes the first fully secure and fully
practical identity-based encryption scheme known to date.
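A Bounding The Abortion Probability

We want to show that:

$$\Pr_{X,k}[\tau(X, \mathbf{v}, v^*, k) = 0] \ge \lambda = \frac{1}{4 \cdot q \cdot 2^{\ell} \cdot n}$$

where:

$$\tau(X, \mathbf{v}, v^*, k) = \begin{cases} 0, & \text{if } F(v^*) = 0 \text{ and } F(v^j) \neq 0 \bmod m \text{ for all } 1 \le j \le q \\ 1, & \text{otherwise} \end{cases}$$

First, we define the modified function $\tau'(X, \mathbf{v}, v^*)$:

$$\tau'(X, \mathbf{v}, v^*) = \begin{cases} 0, & \text{if } F(v^*) = 0 \bmod m \text{ and } F(v^j) \neq 0 \bmod m \text{ for all } 1 \le j \le q \\ 1, & \text{otherwise} \end{cases}$$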
Vf , we have that

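$$0 \le x' + \sum_{i=1}^{n} v_i \cdot x_i \le m - 1 + n \cdot (2^{\ell} - 1) \cdot (m - 1) < m \cdot n \cdot 2^{\ell}$$

This shows that if $F(v^*) = 0 \bmod m$, then there is a unique $0 \le k < n \cdot 2^{\ell}$
such that $F(v^*) = 0$ over the integers. Since $k$ is uniformly and independently
distributed between zero and $2^{\ell} \cdot n - 1$, we have that:

$$\Pr_{X,k}[\tau(X, \mathbf{v}, v^*, k) = 0] = \frac{1}{n \cdot 2^{\ell}} \cdot \Pr_{X}[\tau'(X, \mathbf{v}, v^*) = 0] \qquad (8)$$

We denote by $A_j$ the event that the simulator can answer the $j$-th private-key
query:

$$A_j : x' + \sum_{i=1}^{n} v_i^j \cdot x_i \neq 0 \bmod m$$

and by $B'$ the event:

$$B' : x' + \sum_{i=1}^{n} v_i^* \cdot x_i = 0 \bmod m$$

We have that:

$$\Pr[\tau'(X, \mathbf{v}, v^*) = 0] = \Pr\Big[\bigwedge_{j=1}^{q} A_j \wedge B'\Big] \qquad (9)$$

We have:

$$\Pr\Big[\bigwedge_{j=1}^{q} A_j \,\Big|\, B'\Big] = 1 - \Pr\Big[\bigvee_{j=1}^{q} \neg A_j \,\Big|\, B'\Big] \ge 1 - \sum_{j=1}^{q} \Pr[\neg A_j \mid B'] \qquad (10)$$

The pairwise independence of the function $F(v) \bmod m$ stems from the
following lemma, whose proof is straightforward:

Lemma 1. Let $x'$ and $x_1, \ldots, x_n$ be random variables uniformly distributed
between zero and $m - 1$ and let $F(v) = x' + \sum_{i=1}^{n} v_i \cdot x_i$. Then for all $v \neq v'$ and
all $a, a' \in \mathbb{Z}_m$:

$$\Pr[(F(v) = a \bmod m) \wedge (F(v') = a' \bmod m)] = \frac{1}{m^2}$$

The previous lemma shows that $\Pr[B'] = 1/m$ and that for all $j$:

$$\Pr[\neg A_j \mid B'] = \frac{\Pr[\neg A_j \wedge B']}{\Pr[B']} = \frac{1}{m}$$

Then using (8), (9), (10), we obtain:

$$\Pr_{X,k}[\tau(X, \mathbf{v}, v^*, k) = 0] \ge \frac{1}{n \cdot 2^{\ell} \cdot m} \cdot \Big(1 - \frac{q}{m}\Big)$$

And $m = 2 \cdot q$ yields the following lower bound $\lambda$:

$$\Pr_{X,k}[\tau(X, \mathbf{v}, v^*, k) = 0] \ge \lambda = \frac{1}{4 \cdot q \cdot 2^{\ell} \cdot n}$$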